27 September 2007

Operational Risk is about Performance Management and Business Resilience. A few months ago the topic of Compete or Die was discussed here. Why revisit this topic? CEO's and the Board of Directors realize the road to eliminating fear in their organization and the marketplace is through trusted information.

Being agile, ready and capable of a quick recovery is what competitiveness is all about, on the field, on stage or around the table in the Board Room. Working towards control and protection while "fear" builds in the back of your mind makes you stiff, depletes your energy and creates doubt. And when you are operating a business or standing on the tee of your first sudden death hole on any PGA weekend, you better have resilience.

The business equivalent to homeland security and critical infrastructure protection is operational risk management—a domain that many executives see as the most important emerging area of risk for their firms. Increasingly, failure to plan for operational resilience can have “bet the firm” results.

There are numerous examples of how errors, omissions and glitches have brought down the reputations of many a Fortune 500 companies. What do they all have in common that led to their demise? A lack of economic and business resilience to remain competitive in the marketplace.

The threat of Tort Liability and the loss of reputation is top of mind these days with every major global company executive. The threat is real and increasing at a faster rate than many other real operational risks to the enterprise. Litigation from regulators, class actions and competitors has given the term Legal Risk new emphasis and meaning.

Once corporate management understands the need for a "resilience" mentality in place of a "protection" mental state, a new perspective is found. Investing in the vitality, agility and competitive capabilities of the organization sounds and is more positive. It alleviates the fear of doom and gloom and inspires new found innovation. The future of your organizations longevity and in it's adaptability can be achieved with a new perspective. Compete or die.

Performance Management could be enabled or suppressed by the amount of power you give your leadership. Do they have the ability to make a $1M decision or $10K decisions when it comes to investing budgeted capital into their business unit growth? Do they manage risk on a level where they are the most informed and the most knowledgeable about the business, or is the "Mother Ship" back at the home office dictating the way they spend or the way they invest?

PNC Bank has been converging functional business units as a way to impact their operational intelligence strategy. Do you have fraud management and Anti-Money Laundering (AML) programs that are operating without strategic coordination? Increasing the performance of operational risk sometimes requires the sharing of intelligence across boundaries and business units:

Ann Mele, PNC's Director of Financial Intelligence says "unification of corporate structures, operational processes and subject-matter-expertise presents the opportunity to combat fraud and AML issues more effectively and efficiently. We can now capture analyze, and disseminate information in a manner that proactively identifies threats before losses or major customer impact occurs."

The ability to know how to manage risk at the point of creating new information is the nexus of several disciplines and requires substantial training. Every minute that goes by with people not behaving correctly puts the enterprise at greater risk to lost performance opportunities.

All these issues can be summed up in a single concept:trusted information. Simply accessing data is no longer enough. Today's CEOs, CFOs and knowledge-workers must be able to reliably track the information they use for decisions back to the original source systems in order to ensure its timeliness, accuracy and credibility.

Over the last decade, organizations have invested millions of dollars in systems to collect, store and distribute information more effectively. Despite this, information users at all levels of the organization are often uncomfortable with the quality, reliability and transparency of the information they receive.

Today's organizations rarely have a "single view of the truth." Executives waste time in meetings debating whose figures are correct, rather than what to do about the company's issues. Additionally, they worry about the consequences of making strategic decisions using the wrong information, directly impacting the long-term survival of the organization.

The search for trusted information is a continuous pursuit for commanders in the "Mission Ready Room" and the "Corporate Board Room". So how do you achieve the level of assurance that's required to make the "bet the farm" risk management decisions in your enterprise?

20 September 2007

There are 6,000,000 reasons why Operational Risk at TD Ameritrade is in the Red Zone this week as a result of what seems to be a case of malicious code discovered last week, or over a year ago.

This author received a recent letter from TD Ameritrade regarding their so called pseudo "breach". And we quote:

"While investigating client reports about the industry-wide issue of investment-related SPAM, we recently discovered and eliminated unauthorized code from our systems. This code allowed certain information stored in one of our databases, including email addresses, to be retrieved by an external source."

What is absolutely amazing is the request to visit www.amtd.com for more information and a list of Frequently Asked Questions (FAQs) and an additional message from me, (The CEO Joe Moglia). The link to this message requires you to run Windows Media Player for what must be a sincere apology. However, the PR department must not know how many malicious code exploits are associated with .wmv files. Nor, how many people still do not have broadband connections as a consumer.

But that is not even the most fascinating aspect of this whole incident. The story gets even more disturbing if it is indeed true:

Scott Kamber of Kamber & Associates, a New York law firm that sued Sony BMG last year for its use of a rootkit, told InformationWeek on Monday that the lawsuit initially claimed that Ameritrade knew about the data breach last November. However, he says he now has information that the company knew about the ongoing breach a full year ago.

Kamber, who filed the suit this past May, had recently filed a preliminary injunction asking the court to compel Ameritrade to disclose the data breach and the compromised information to current and prospective customers. The company was given a two-week adjournment and made the public announcement during that recess.

"I am glad customers finally know of the compromise of their personal information," said Kamber. "I'm not pleased it took the company so long to do that."

Hillyer said she could not comment on ongoing litigation but said, "As soon as we discovered it, we stopped it. And as soon as we had gathered enough information, we notified our clients."

Ameritrade notified the FBI and the U.S. Securities and Exchange Commission last week, according to the spokeswoman.

It's apparent that the nexus of Information Security, Digital Forensics, eDiscovery, Legal Risk and Reputation Management have imploded in Bellevue, NE yet this will not be the last place we hear about this kind of incident. If a Rootkit is on a server there, you can be sure that there are others at a another broker or investment management firm near you.

Being vigilant about protecting privacy and doing the right thing with customers in the event of a breach has significant legal ramifications, that is for certain. What is less known at this point are the processes and corporate behavior that could be even more of a source of liability for TD Ameritrade. Who what how and why is now under investigation and will play out in a court room again soon.

The degree that any firm in the industry is "Litigation Ready" or has adequately prepared for this particular nexus between the elements of Information Security and the Law will determine the amount of Operational Risk they are potentially exposed to in incidents like this one. How can any firm prepare for an event similar to this?

1. Conduct a Litigation Readiness Audit of the firm.

2. Develop a strategic plan for achieving a "Defensible Standard of Care."

3. Train the stakeholders on Crisis, Command and Control.

4. Implement an early warning data analytics system to preempt potential threats.

Number four on this list pertains to something that is also in the authors letter. "As part of our effort to protect privacy, we have hired ID Analytics, which specializes in identity risk, to investigate and monitor potential identity theft." Let's just hope these guys didn't load up a CD at their shop handed over to them by TD Ameritrade with 6,000,000 records of personal identifiable information on it.

14 September 2007

True or false: A large corporate private sector company hires an outside counsel to investigate an employee suspected of fraud. The outside counsel hires a fraud examiner to look into the facts. The fraud examiners report to the outside counsel will assist in determining whether a crime has been committed. The report and the communications with the outside counsel are protected confidential work product and is privileged. If you don't know the answer, read on.

Organizations who realize that internal investigations can pose a tremendous risk of litigation are ahead of the Operational Risk Management curve. Being proactive about prudent strategy on how to address the potential internal employee fraud is imperative, especially if you plan to pursue litigation to try and recover the stolen assets.

The two primary areas of emphasis here for the purpose of what information is discoverable is the attorney-client privilege and the work product doctrine: This Texas case from the Texas Bar Journal article by Derek Lisk illustrates the point:

In yet another case in which one party sought to protect documents from an investigation on privilege grounds, the U.S. District Court for the Eastern District of Texas took a more expansive view of the privilege. In-house counsel for Electronic Data Systems (EDS) hired outside attorneys, who in turn hired a consulting firm, to independently analyze and report on alleged misuse and misappropriation of assets by an EDS employee, Mr. Steingraber. In the ensuing litigation, EDS objected to producing documents from the investigation.

Steingraber, like Seibu Corp., argued that the documents were not privileged “because they were made to facilitate a business decision rather than the rendition of professional legal services.” This court, however, sided with the party seeking to protect the documents, finding Steingraber’s interpretation of the privilege “unduly narrow” and disagreeing with Seibu Corporation to the extent it held otherwise. Among other things, the court said, “The fact that the attorneys may have been hired to facilitate a business decision does not mean that such a decision was devoid of legal consequences.” Because EDS hired the outside lawyers to contribute legal expertise, including contract interpretation, risk evaluation, witness interviews, and evidence evaluation, the communications between them were “for the rendition of legal services.”

The status of H.R. 3013 in the US House of Representatives is unknown as it goes to be debated in committees:

7/12/2007--Introduced.

Attorney-Client Privilege Protection Act of 2007 - Amends the federal criminal code to prohibit any U.S. agent or attorney, in any federal investigation or criminal or civil enforcement matter, from demanding, requesting, or conditioning treatment on the disclosure by an organization (or affiliated person) of any communication protected by the attorney-client privilege or any attorney work product.

Prohibits a U.S. agent or attorney from conditioning a civil or criminal charging decision relating to an organization (or affiliated person) on one or more specified actions, or from using one or more such actions as a factor in determining whether an organization or affiliated person is cooperating with the government.

The question on the table here is how much as a corporation do you want to cooperate to prosecute the employee? It may make sense as a corporation to waive some rights to help recover your losses. How you architect a process for engaging outside counsel, independent investigators and fraud examiners in order to mitigate Legal Risk is crucial. The information exchanged, obtained in the process and communicated between parties must be done correctly. Not only to protect the information under the new Federal Rules of Civil Procedure but to insure the integrity and trust of the information itself.

A Board of Directors that oversees the governance of hundreds or thousands of employees is going to be continuously subjected to corporate malfeasance and white collar crime matters. The rule of law within the halls of the organization must be clear and precise. The mechanisms for the company to cooperate with investigators may mean the difference between an employee that creates irreversible economic damage to the enterprise or even worse. Our national security.

07 September 2007

Risk in the supply chain may not always come from that vendor who provides your power, water or telecommunications. Black Market Peso Exchange (BMPE) is an Operational Risk that is starting to gain more awareness with Internal Auditors. This has been around since the 1980's yet even today some of our most sophisticated financial services institutions are being subjected to this system of fraud. The BMPE has been another way for money laundering from illicit criminal drug proceeds to impact our risk management controls:

American Express Bank International's anti-money laundering program was deficient in three of the four core elements. Namely, the Bank failed to implement adequate internal controls, failed to conduct adequate independent testing, and failed to designate compliance personnel to ensure compliance with the Bank Secrecy Act. American Express Bank International's high-risk customer base, product lines, and international jurisdiction of operations required elevated measures to manage the risk of money laundering and other financial crimes.

Nevertheless, the Bank conducted business without adequate systems and controls reasonably designed to manage the risk of money laundering, including the potential for Black Market Peso Exchange transactions that may be used by Colombian drug cartels to launder the proceeds of narcotics sales. American Express Bank International's failure to comply with the Bank Secrecy Act and the regulations issued pursuant to that Act were serious, repeated and systemic.

This method of money laundering is effective for the drug traffickers and requires more awareness on the behalf of fraud examiners and independent auditors. The IRS form 8300 requiring companies and financial entities to disclose receipts in excess of $10K in cash or equivalents doesn't work very well as wire transfers are not considered cash or cash equivalents.

A point is made that needs to be emphasized here. "Don't rely on banks and financial institutions to conduct anti-money laundering (BSA/AML) procedures on behalf of the company." Is it possible that your organization has purchased inventory with funds that have been utilized as part of the BMPE scheme? What about resellers and distributors that are part of your own revenue supply chain.

In terms of Independent testing, make sure that your Internal Audit department is educated and aware of this particular mechanism for use by money launderers:

American Express Bank International's independent testing of its Bank Secrecy Act program was ineffective. Internal Audit Staff lacked sufficient training and knowledge to facilitate compliance with the Bank Secrecy Act. Audit scopes were not always tailored or designed to capture and test for compliance with certain requirements of the Bank Secrecy Act.

Internal Audit staff also failed to conduct sufficient customer transaction testing to adequately evaluate the overall sufficiency of the anti-money laundering program at the Bank. Furthermore, Internal Audit failed to assist management with tracking and following-up on previously identified regulatory examination deficiencies. In addition, Internal Audit failed to conduct adequate testing of the suspicious activity monitoring system or identify the numerous data integrity concerns associated with this system for an extended period of time. The ineffectiveness of the Internal Audit function at American Express Bank International contributed to the failure to identify significant deficiencies in this system before 2007.

03 September 2007

A week or so from now around 8:30AM on the East Coast of the United States there will be many people remembering where they were six years ago. On September 11, 2001 we will stop and observe a minute of silence and reflect on all that has changed and been accomplished and what has stayed the same. It may seem like a distant memory for some, yet a bad dream from last night for so many others.

Sharing intelligence or the valuable aspects of relevance, to you, or your enterprise requires the proper tools and mechanisms. This is a given. However, all the operational risk tools and systems will never be the entire answer to finding the "needle in the haystack" or "connecting the dots". The DNI has been implementing the right kinds of methods and applications to help solve the equation for preventing catastrophic incidents of the magnitude of 9/11 in search of the correct answers:

It's hard to imagine spies logging on and exchanging "whuddups" with strangers, though. They are just not wired that way. If networking is lifeblood to the teenager, it is viewed with deep suspicion by the spy.

The intelligence agencies have something like networking in mind, though, as they scramble to adopt Web technologies that young people have mastered in the millions. The idea is to try to solve the information-sharing problems inherent in the spy world - and blamed, most spectacularly, for the failure to prevent the Sept. 11, 2001, attacks.

In December, officials say, the agencies will introduce A-Space, a top-secret variant of the social networking Web sites MySpace and Facebook. The "A" stands for "analyst," and where Facebook users swap snapshots, homework tips and gossip, intelligence analysts will be able to compare notes on satellite photos of North Korean nuclear sites, Iraqi insurgents and Chinese missiles.

Sharing information is not the hard part. Analyzing it with the "grey matter" necessary to put 2 + 2 together beyond the capability of the algorithms of the software requires training and extreme context. Corporate Enterprises have been utilizing similar systems and tools on their secure Intranet's for years and the agencies are now taking the lessons learned and applying these to the social networking community of their analysts. Smart strategy as many of these "Outsourced" entities are operating from the private sector NOC or SOC and have been delivering intelligence products long before they were hired to do so for the government.

Observing the lessons from the Financial Services Industry on what works and what is treading on thin ice can be a helpful example. Sharing intelligence across organizations, platforms and between competitors has been the norm at SWIFT:

SWIFT is the industry-owned co-operative supplying secure, standardised messaging services and interface software to over 8,100 financial institutions in 208 countries and territories. SWIFT members include banks, broker-dealers and investment managers. The broader SWIFT community also encompasses corporates as well as market infrastructures in payments, securities, treasury and trade. Over the past ten years, SWIFT message prices have been reduced over 80%, and system availability approaches 5x9 reliability — 99.999% of uptime.

Swift is considered the nerve center of the global banking industry, routing trillions of dollars each day between banks, brokerages and other financial institutions. The group's partnership with the U.S. government, first revealed in media reports in June 2006, gave officials at the CIA access to millions of records on international banking transactions in an effort to trace money that investigators believed might be linked to terrorist financing. Swift agreed to turn over large chunks of its database in response to a series of unusually broad subpoenas issued by the Treasury Department beginning months after the attacks of Sept. 11, 2001.

At 8:30AM on 9/11 2007 during our moment of silence we can only pray that our Intel sharing continues and doesn't get strangled by those who have forgotten this day of remembrance.

About

Operational Risk is defined as the risk of loss resulting from inadequate or failed processes, people, and systems or from external events. The definition includes legal risk, which is the risk of loss resulting from failure to comply with laws as well as prudent ethical standards and contractual obligations. It also includes exposure to litigation from all aspects of an institutions activities.

"The Only Thing Necessary For Evil To Triumph Is For Good Men To Do Nothing." --E. Burke